Vulnerability CVE-2022-1941

Vulnerability Name:

CVE-2022-1941 (CCN-237081)

Assigned:

2022-09-22

Published:

2022-09-22

Updated:

2023-06-27

Summary:

protobuf is vulnerable to a denial of service, caused by a parsing vulnerability for the MessageSet type in the ProtocolBuffers. By sending a specially crafted message with multiple key-value per elements, a remote attacker could exploit this vulnerability to cause a crash.

CVSS v3 Severity:

7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

5.7 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
5.0 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Adjacent Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

CVSS v2 Severity:

5.5 Medium (CCN CVSS v2 Vector: AV:A/AC:L/Au:S/C:N/I:N/A:C)

Exploitability Metrics:	Access Vector (AV): Adjacent_Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Complete

Vulnerability Consequences:

Denial of Service

References:

Source: MITRE
Type: CNA
CVE-2022-1941

Source: cve-coordination@google.com
Type: Mailing List, Third Party Advisory
cve-coordination@google.com

Source: cve-coordination@google.com
Type: Third Party Advisory
cve-coordination@google.com

Source: XF
Type: UNKNOWN
protobuf-cve20221941-dos(237081)

Source: CCN
Type: protobuf GIT Repository
A potential Denial of Service issue in protobuf-cpp and protobuf-python

Source: cve-coordination@google.com
Type: Third Party Advisory
cve-coordination@google.com

Source: cve-coordination@google.com
Type: Mailing List
cve-coordination@google.com

Source: cve-coordination@google.com
Type: Mailing List, Third Party Advisory
cve-coordination@google.com

Source: cve-coordination@google.com
Type: Mailing List
cve-coordination@google.com

Source: CCN
Type: SNYK-PYTHON-PROTOBUF-3031740
Denial of Service (DoS)

Source: CCN
Type: IBM Security Bulletin 6827881 (Security QRadar Network Threat Analytics)
IBM Security Network Threat Analytics for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities (CVE-2022-1941, CVE-2022-34749, CVE-2022-1552)

Source: CCN
Type: Mend Vulnerability Database
CVE-2022-1941

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:8035	P	libprotoc20-3.9.2-150200.4.19.2 on GA media (Moderate)	2023-06-20
oval:org.opensuse.security:def:7652	P	libprotobuf-lite20-3.9.2-150200.4.19.2 on GA media (Moderate)	2023-06-12
oval:org.opensuse.security:def:8172	P	Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets (Important) (in QA)	2023-05-18
oval:org.opensuse.security:def:8185	P	Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets (Important) (in QA)	2023-05-18
oval:org.opensuse.security:def:8197	P	Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets (Important) (in QA)	2023-05-18
oval:org.opensuse.security:def:8111	P	Security update for grpc, protobuf, python-Deprecated, python-PyGithub, python-aiocontextvars, python-avro, python-bcrypt, python-cryptography, python-cryptography-vectors, python-google-api-core, python-googleapis-common-protos, python-grpcio-gcp, python-humanfriendly, python-jsondiff, python-knack, python-opencensus, python-opencensus-context, python-opencensus-ext-threading, python-opentelemetry-api, python-psutil, python-pytest-asyncio, python-requests, python-websocket-client, python-websockets (Important) (in QA)	2023-05-18
oval:org.opensuse.security:def:51947	P	Security update for protobuf (Important)	2022-11-09

BACK